
The free alternative to Windows Server Active Directory/Domain Controller, Samba4, has been in the making for years and continues to inch closer to a stable release. The feature set is now frozen and the development team is busy squashing major bugs before labeling Samba4 stable for production use.

Our experience with Samba4 as a small office domain controller has been a stable, bug-free experience. The installation on our Ubuntu server was fairly painless when following the HOW-TO located on the official Samba website. The DC has yet to crash or cause any problems with the PCs on our diverse network.

Samba4 packs everything you expect from a Windows Domain Controller into a free, open-source package. Samba4 is in a unique position to shake up the Domain Controller market by offering a free alternative to Microsoft's pricey options. I am excited to see Samba4 reach the stable release, so that I can begin implementation outside of our networks.

Samba4 Features

Samba 4.0 supports the server-side of the Active Directory logon environment used by Windows 2000 and later, so we can do full domain join and domain logon operations with these clients.

Our Domain Controller (DC) implementation includes our own built-in LDAP server and Kerberos Key Distribution Center (KDC) as well as the Samba3-like logon services provided over CIFS. We correctly generate the infamous Kerberos PAC, and include it with the Kerberos tickets we issue.

Samba 4.0.0rc5 ships with two distinct file servers. We now use the file server from the Samba 3.x series ‘smbd’ for all file serving by default.

Samba 4.0 also ships with the ‘NTVFS’ file server. This file server is what was used in all previous releases of Samba 4.0, and is tuned to match the requirements of an AD domain controller. We continue to support this, not only to provide continuity to installations that have deployed it as part of an AD DC, but also as a running example of the NT-FSA architecture we expect to move smbd to in the longer term.

For pure file server work, the binaries users would expect from that series (nmbd, winbindd, smbpasswd) continue to be available. When running an AD DC, you only need to run ‘samba’ (not nmbd/smbd/winbind), as the required services are coordinated by this master binary.

As DNS is an integral part of Active Directory, we also provide two DNS solutions, a simple internal DNS server for ‘out of the box’ configurations and a more elaborate BIND plugin using the BIND DLZ mechanism in versions 9.8 and 9.9. During the provision, you can select which backend to use. With the internal backend, your DNS server is good to go. If you choose the BIND_DLZ backend, a configuration file will be generated for BIND to make it use this plugin, as well as a file explaining how to set up BIND.

To provide accurate timestamps to Windows clients, we integrate with the NTP project to provide secured NTP replies. To use it, you need to start ntpd and configure it with the ‘restrict … ms-sntp’ and ntpsigndsocket options.
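The ntpd side of that setup, as an added configuration example that is not part of the post or of the Samba release notes. In ntpd's own configuration grammar the restrict flag is spelled mssntp; the socket directory below is an assumption for an Ubuntu-style install (Samba puts it under its private directory, so check the effective value of the smb.conf parameter ‘ntp signd socket directory’ on your DC), and the upstream servers are constructed placeholders.

```conf
# ntp.conf fragment (added example, not from the page) for an ntpd that
# answers domain-joined Windows clients of a Samba4 AD DC.

# Upstream time sources (constructed placeholders; substitute your own).
server 0.pool.ntp.org iburst
server 1.pool.ntp.org iburst
driftfile /var/lib/ntp/ntp.drift

# Directory holding the ntp_signd socket created by the running 'samba'
# binary. ntpd asks Samba over this socket to sign each MS-SNTP reply
# with the requesting machine account's key, so clients can verify it.
# Path is an assumption; it must match 'ntp signd socket directory'.
ntpsigndsocket /var/lib/samba/ntp_signd/

# Default policy: serve time, but refuse runtime modification, trap
# registration and peering (kod nomodify notrap nopeer). 'mssntp' turns
# on signed replies for MS-SNTP requests; without it ntpd answers
# unsigned and Windows domain members discard the response.
restrict default kod nomodify notrap nopeer mssntp

# Unrestricted access for the local host only.
restrict 127.0.0.1
```

ntpd must be able to open the socket, so the socket directory is normally owned by root with the ntpd service group (ntp on Ubuntu, an assumption here) as group and mode 0750; a signing failure shows up in the ntpd log rather than on the client, which simply keeps reporting that time synchronisation failed.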

Finally, a new scripting interface has been added to Samba 4, allowing Python programs to interface to Samba’s internals, and many tools and internal workings of the DC code are now implemented in Python.